def test_tampered_manifest(self):
# MANIFEST.MF does not verify against .SF in either way.
# Was tampered manually.
jar_data = get_data_fn("tampered-manifest.jar")
cert = get_data_fn("javatools-cert.pem")
with self.assertRaises(ManifestChecksumError):
verify(cert, jar_data)
def test_overriden_extension_handling(self):
jar_data = get_data_fn("test_extensions/no-email-protection.jar")
cert = get_data_fn("test_extensions/ca.pem")
self.verify_wrap(
cert, jar_data,
"Signature by certificate without EmailProtection EKU extension failed"
)
jar_data = get_data_fn("test_extensions/no-ku.jar")
self.verify_wrap(
cert, jar_data,
"Signature by certificate without any KU extension failed")
jar_data = get_data_fn("test_extensions/wrong-ku.jar")
with self.assertRaises(SignatureBlockFileVerificationError):
verify(cert, jar_data)
def test_cli_sign_and_verify(self):
src = get_data_fn("cli-sign-and-verify.jar")
key_alias = "SAMPLE3"
cert = get_data_fn("javatools-cert.pem")
key = get_data_fn("javatools.pem")
with NamedTemporaryFile() as tmp_jar:
copyfile(src, tmp_jar.name)
cli_sign_jar(None, tmp_jar.name, cert, key, key_alias)
error_message = verify(cert, tmp_jar.name, key_alias)
self.assertIsNone(error_message,
"Verification of JAR which we just signed failed: %s"
% error_message)
def test_cli_sign_and_verify_ecdsa_pkcs8_sha512(self):
src = get_data_fn("cli-sign-and-verify.jar")
key_alias = "SAMPLE3"
cert = get_data_fn("ec-cert.pem")
key = get_data_fn("ec-key.pem")
with NamedTemporaryFile() as tmp_jar:
copyfile(src, tmp_jar.name)
cli_sign_jar([tmp_jar.name, cert, key, key_alias])
error_message = verify(cert, tmp_jar.name, key_alias)
self.assertIsNone(error_message,
"Verification of JAR which we just signed failed: %s"
% error_message)
def test_sign_with_certchain_and_verify(self):
src = get_data_fn("certchain-data.jar")
key_alias = "SIGNING"
signing_cert = get_data_fn("certchain-signing.pem")
key = get_data_fn("certchain-signing-key.pem")
intermediate_cert = get_data_fn("certchain-intermediate.pem")
root_cert = get_data_fn("certchain-root.pem")
with NamedTemporaryFile() as tmp_jar:
copyfile(src, tmp_jar.name)
self.assertEqual(0, cli_sign_jar(
["-c", root_cert, "-c", intermediate_cert,
tmp_jar.name, signing_cert, key, key_alias]),
"Signing with embedding a chain of certificates failed")
error_message = verify(root_cert, tmp_jar.name, key_alias)
self.assertIsNone(error_message,
"Verification of JAR which we signed embedding chain of certificates failed: %s"
% error_message)
#
# The end.
def test_multiple_sf_files(self):
jar_data = get_data_fn("multiple-sf-files.jar")
cert = get_data_fn("javatools-cert.pem")
with self.assertRaises(VerificationError):
verify(cert, jar_data)
def verify_wrap(self, cert, jar, error_prefix):
try:
verify(cert, jar)
except VerificationError, error_message:
self.fail("%s: %s" % (error_prefix, error_message))
def test_tampered_signature_block(self):
jar_data = get_data_fn("ec-tampered.jar")
cert = get_data_fn("ec-cert.pem")
error_message = verify(cert, jar_data, "TEST")
self.assertIsNotNone(error_message,
"Error: verification of a tampered signature has succeeded")
def test_missing_signature_block(self):
jar_data = get_data_fn("ec-must-fail.jar")
cert = get_data_fn("ec-cert.pem")
error_message = verify(cert, jar_data, "TEST")
self.assertIsNotNone(error_message,
"Error: verification of non-existing key alias has succeeded")
def test_tampered_signature_block(self):
jar_data = get_data_fn("ec-tampered.jar")
cert = get_data_fn("ec-cert.pem")
error_message = verify(cert, jar_data, "TEST")
self.assertIsNotNone(error_message,
"Error: verification of a tampered signature has succeeded")
def test_tampered_jar_entry(self):
jar_data = get_data_fn("tampered-entry.jar")
cert = get_data_fn("javatools-cert.pem")
with self.assertRaises(JarChecksumError):
verify(cert, jar_data)
def test_multiple_valid_sf_files_cert2(self):
jar_data = get_data_fn("test_jarutil/multiple-sf-files-all-valid.jar")
cert = get_data_fn("test_jarutil/javatools-cert-2.pem")
sf_file = "KEY2.SF"
self.assertEqual(verify(cert, jar_data, sf_file), None)
def test_multiple_sf_files_no_cert_specified(self):
jar_data = get_data_fn("test_jarutil/multiple-sf-files-some-junk.jar")
cert = get_data_fn("test_jarutil/javatools-cert.pem")
with self.assertRaises(VerificationError):
verify(cert, jar_data)
def test_multiple_valid_sf_files_cert1(self):
jar_data = get_data_fn("multiple-sf-files-all-valid.jar")
cert = get_data_fn("javatools-cert.pem")
sf_file = "KEY1.SF"
self.assertEquals(verify(cert, jar_data, sf_file), None)
def test_missing_signature_block(self):
jar_data = get_data_fn("ec-must-fail.jar")
cert = get_data_fn("ec-cert.pem")
with self.assertRaises(JarSignatureMissingError):
verify(cert, jar_data)
def test_tampered_signature_block(self):
jar_data = get_data_fn("ec-tampered.jar")
cert = get_data_fn("ec-cert.pem")
with self.assertRaises(SignatureBlockFileVerificationError):
verify(cert, jar_data)
def test_single_sf_file_wrong_cert_specified(self):
jar_data = get_data_fn("test_jarutil/jarutil-signed.jar")
cert = get_data_fn("test_jarutil/javatools-cert.pem")
sf_file = "DOES_NOT_EXIST.SF"
with self.assertRaises(VerificationError):
verify(cert, jar_data, sf_file)
def test_single_sf_file_correct_cert_specified(self):
jar_data = get_data_fn("test_jarutil/jarutil-signed.jar")
cert = get_data_fn("test_jarutil/javatools-cert.pem")
sf_file = "UNUSED.SF"
self.assertEqual(verify(cert, jar_data, sf_file), None)
def test_missing_signature_block(self):
jar_data = get_data_fn("ec-must-fail.jar")
cert = get_data_fn("ec-cert.pem")
error_message = verify(cert, jar_data, "TEST")
self.assertIsNotNone(error_message,
"Error: verification of non-existing key alias has succeeded")
